
Actually I was just answering the "parsers for what" question.

FWIW, I think LangSec is saying "Code that doesn't have remote code execution vulnerabilities[0], or limits them to a weak computational model[1], is better than code with RCE vulnerabilities." - which is also "Well, no shit." - and "Parsing a nontrivial data format is the same thing as executing a (not-necessarily-)very constrained programming language."[2] - which seems obvious to me, but could plausibly be a "superpositions don't collapse"-level epiphany for someone who doesn't think about parsing the right way.

0: such as javascript or stack execution

1: like FSMs or pushdown automata

2: with the implication that you had better make sure it actually is very constrained
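The comment's point [1]/[2] in concrete form, as an added example that is not part of the original post: a recognizer for a small, constructed nested TLV format (type byte, 2-byte big-endian length, body; type 0x01 is a 4-byte integer, type 0x02 is a list of TLVs) written as an explicit pushdown automaton. The only "program" the input can drive is this PDA: a bounded stack of end offsets plus a handful of length checks, so malformed input can only produce a reject, never an unintended state. Decoding into Python values happens only after the recognizer has accepted the whole input, which is the LangSec "recognize first, then act" discipline. The format, the depth limit and the helper names are assumptions made for this example.

```python
# Constructed nested TLV format (assumed for this example, not a real protocol):
#   byte 0      : type (0x01 = 4-byte big-endian integer, 0x02 = list of TLVs)
#   bytes 1..2  : big-endian body length
#   bytes 3..   : body
# The top level must be exactly one TLV with no trailing bytes.

MAX_DEPTH = 16  # bound on the PDA stack; keeps the recognizer's resources finite


def recognize(data: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """Pushdown-automaton recognizer: True iff `data` is exactly one well-formed TLV.

    The stack holds the end offset of every list whose body is still being scanned.
    No values are decoded here; the automaton only checks shape and lengths.
    """
    stack: list[int] = []
    i, n = 0, len(data)
    top_level_seen = False
    while True:
        # Close every list whose body has been consumed exactly.
        while stack and i == stack[-1]:
            stack.pop()
        if not stack:
            if i == n:
                return top_level_seen          # empty input is rejected
            if top_level_seen:
                return False                   # trailing bytes after the single top-level TLV
            end = n
        else:
            end = stack[-1]
        if i + 3 > end:
            return False                       # header would run past the enclosing body
        t = data[i]
        length = int.from_bytes(data[i + 1:i + 3], "big")
        body_start, body_end = i + 3, i + 3 + length
        if body_end > end:
            return False                       # declared length lies about the enclosing body
        if not stack:
            top_level_seen = True
        if t == 0x01:
            if length != 4:
                return False
            i = body_end
        elif t == 0x02:
            if len(stack) >= max_depth:
                return False                   # nesting deeper than the PDA is allowed to track
            stack.append(body_end)
            i = body_start
        else:
            return False                       # unknown type


def decode(data: bytes):
    """Semantic phase, run only on input the recognizer has already accepted."""
    if not recognize(data):
        raise ValueError("input rejected by recognizer")

    def parse(i: int, end: int) -> list:
        items = []
        while i < end:
            t = data[i]
            length = int.from_bytes(data[i + 1:i + 3], "big")
            body_start, body_end = i + 3, i + 3 + length
            if t == 0x01:
                items.append(int.from_bytes(data[body_start:body_end], "big"))
            else:
                items.append(parse(body_start, body_end))
            i = body_end
        return items

    return parse(0, len(data))[0]


# Encoders used only to build constructed sample inputs.
def enc_int(v: int) -> bytes:
    return bytes([0x01]) + (4).to_bytes(2, "big") + v.to_bytes(4, "big")


def enc_list(items: list[bytes]) -> bytes:
    body = b"".join(items)
    return bytes([0x02]) + len(body).to_bytes(2, "big") + body


GOOD = enc_list([enc_int(7), enc_list([enc_int(9)])])          # well-formed: [7, [9]]
TRUNCATED = GOOD[:-1]                                          # last byte missing
LYING_LENGTH = bytes([0x02, 0, 10]) + enc_int(1)               # outer claims 10 bytes, only 7 follow


def _nested(depth: int) -> bytes:
    """depth-many nested lists, innermost empty (constructed sample)."""
    blob = enc_list([])
    for _ in range(depth - 1):
        blob = enc_list([blob])
    return blob


if __name__ == "__main__":
    print(decode(GOOD))                                        # [7, [9]]
    for sample in (TRUNCATED, LYING_LENGTH, _nested(MAX_DEPTH + 1)):
        print(recognize(sample))                               # False, False, False
```

Because every path through `recognize` either advances `i` or returns, and the stack is capped at `MAX_DEPTH`, the recognizer runs in time linear in the input and bounded memory regardless of what the bytes say about themselves; that is the practical meaning of keeping the parser in a weak computational model.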
